All companies are aware of the growing risk of cyberattacks, yet few are taking the steps necessary to protect critical information. The key? Senior managers need to lead.
June 2014 | byTucker Bailey, James Kaplan, and Chris Rezek
Why isn’t more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020.1 They understand most institutions have technology- and compliance-centric cybersecurity models that don’t scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.
The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.
Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
Third, cybersecurity risk is difficult to quantify. There’s no single quantitative metric such as value at risk for cybersecurity, making it much harder to communicate the urgency to senior managers and engage them in required decisions. As one chief financial officer told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
Finally, it’s hard to change user behavior. For many institutions, the biggest vulnerability lies not with the company but with its customers. How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure? Breaking through the noise at most institutions to communicate with frontline managers about cybersecurity risks is tough enough, let alone mitigating risks that are ostensibly beyond your control.
As part of research we undertook with the World Economic Forum on cybersecurity,2 we had the opportunity to interview executives from more than 200 institutions and perform deep dives on cybersecurity risk-management practices with more than 60 of the world’s 500 largest companies. Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector, and resources provided. Our research also found that senior-management engagement varies dramatically. In some companies, the CISO meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.
So what does senior management need to do? Among those companies that are making the most progress toward developing cyberresiliency, we identified four actions common among senior managers:
Pervasive digitization, open and interconnected technology environments, and sophisticated attackers make cybersecurity a critical social and business issue. If inadequately addressed, it could materially slow the pace of technology and business innovation in the years to come. That’s why companies must make rapid progress toward cyberresiliency, and only sustained focus and support from top management can overcome myriad structural and organizational hurdles. We know it’s possible—at some companies, this process is already under way. But it must take place on a broader scale if companies are to protect their critical information assets while retaining the ability to innovate and grow.
McKinsey’s James Kaplan explains what executives can do to protect their companies against cyberattacks.
Structural hurdles to addressing cybersecurity
There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.
Third, cybersecurity risk is difficult to quantify. There’s no single quantitative metric such as value at risk for cybersecurity, making it much harder to communicate the urgency to senior managers and engage them in required decisions. As one chief financial officer told us, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”
Finally, it’s hard to change user behavior. For many institutions, the biggest vulnerability lies not with the company but with its customers. How do you prevent users from clicking on the wrong link, allowing their machines to be infected with malware? How do you stop them from transferring incredibly sensitive information to consumer services that may not be secure? Breaking through the noise at most institutions to communicate with frontline managers about cybersecurity risks is tough enough, let alone mitigating risks that are ostensibly beyond your control.
Senior managers must lead
Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team.As part of research we undertook with the World Economic Forum on cybersecurity,2 we had the opportunity to interview executives from more than 200 institutions and perform deep dives on cybersecurity risk-management practices with more than 60 of the world’s 500 largest companies. Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector, and resources provided. Our research also found that senior-management engagement varies dramatically. In some companies, the CISO meets the CEO every few weeks. Yet in others, the CISO has never met the CEO. In fact, the CISO may report to the chief technology officer, who reports to the chief information officer, who then reports to the CFO.
So what does senior management need to do? Among those companies that are making the most progress toward developing cyberresiliency, we identified four actions common among senior managers:
- Actively engaging in strategic decision making. Just as with other types of enterprise risk, CEOs and the rest of the senior-management team must provide input on the organization’s overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations. Subsequent to that, business-unit heads—and their management teams—must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact.
- Driving consideration of cybersecurity implications across business functions. Senior managers at leading companies ensure business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions. In addition, they make sure that the disclosure of cybersecurity priorities is incorporated into the company’s public-affairs agenda.
- Pushing changes in user behavior. Given how much sensitive data senior managers interact with, they have the chance to change and model their own behavior for the next level of managers. This can begin with simple steps, such as becoming more judicious about forwarding documents from corporate to personal e-mail accounts. In addition, senior management can and should provide the communications “airtime” and reinforcement required to help frontline employees understand what they need to do to protect critical information assets.
- Ensuring effective governance and reporting is in place. No matter how thoughtful a set of cybersecurity policies and controls may be, some managers will seek to circumvent them. Senior management obviously needs to make sure that policies and controls make sense from a business standpoint. If they do, senior managers then need to backstop the cybersecurity team to help with enforcement. In addition, senior management should put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program.